An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Monthly Archives: February 2008

According to this recent article at Washingtonpost.com, a few months ago, a woman uploaded some pictures of her children skinny-dipping, along with about 50 other photos, to the online photo site Flickr. The woman was careful to mark those pictures of her children as "private". However, a couple of weeks ago she noticed that the private pictures had been viewed thousands of times, while the other photos only had about 20 hits.

Different photo-sharing websites have different policies regarding the privacy of photos. Flickr, for example, automatically designates all online photos as public unless otherwise specified. Other sites such as Shutterfly and Snapfish keep photos private unless the user indicates that they can be shared.

It turns out strangers can access a photo- whether public or private- if they have the full URL. Figuring out the exact URL, which usually contains random numbers and letters, is difficult but not impossible.

As expected, the EU’s Article 29 Working Party has released a decision that search engines are subject to the obligations of the Data Protection Directive. The Working Party explains that the data search engines collect — IP address and a search profile — is considered personal information in Europe, not purely anonymous data as the search engines have maintained. It issued a preliminary release on the subject, and is expected to issue a full report in the next few months.

Valleywag reports on the pending introduction of Google Health’s pilot program, in which they’ll store the health records of of 1500 to 10,000 patients at the Cleveland Clinic. But Valleywag (and, for more information, this SF Chronicle article) discusses the privacy implications of Google’s plan: As a non-healthcare provider, Google (and any other third-party provider of these kinds of services) isn’t subject to the privacy protections of HIPAA. The lack of one protection in particular, the requirement that health care providers notify a subject when his or her health records are subpoena’d, means that it will be easier for third parties to gain access to your medical data in ways that could be detrimental to you.

Microsoft and AOL have their own portable health information products in the works.

Another of Harrington’s pronouncements at the DMA conference (as reported by Mediapost) was on the FTC’s recent foray into regulation of behavioral targeting. She indicated that the FTC may not be convinced that behavioral advertising is in and of itself a privacy violation for consumers. Congress’s declining to consider legislation on the matter may indicate that the FTC should focus on cases where the harm to consumers is more clear. But she stated that industry groups must come up with self regulatory principles for greater transparency and meaningful choice.

Deputy Director of Consumer Protection Eilieen Harrington’s appearance before the Direct Marketing Association’s Email Evolution conference provided a wealth of information about the FTC’s orientation on current hot topics in privacy on Tuesday. Mediapost reported her pronouncement that the FTC considers security of consumer data to be "of the greatest and highest concern" for enforcement, pointing to its pursuit of big-name companies like Microsoft for security breaches.

Privacy Laws & Business reports that this may be the year China enacts its proposed EU-model data protection law, covering both public and private sectors. The proposed law addresses the transfer of personal data to other countries and establishes subject access rights and remedies.

When Eli Lilly & Co. saw that its confidential settlement talks with the government made front-page news in the New York Times, they accused federal officials of leaking the information. However, an investigation by the company found that the source of the leak was one of its outside lawyers. Apparently the lawyer writing the e-mail meant to send the confidential information to her co-counsel at another firm, but instead sent the e-mail to a reporter at the New York Times. The reporter claims that, although he did receive an e-mail from the firm, it did not contain a detailed description of the status of the settlement talks, and that he actually got his information from other sources.

Eli Lilly & Co. is in negotiations with the government over alleged marketing improperties. They are accused of improperly marketing their most popular drug, Zyprexa, for schizophrenia.

In an unrelated but similar incident in 2002, Eli Lilly settled with the FTC and eight state attorneys general after an employee unintentionally released e-mail address of nearly 700 subscribers to its prozac.com e-mail alert.